coingraham/guard-duty-custodian.yaml

## guard-duty-custodian.yaml
policies:

 - name: ec2-guard-remediate
   resource: ec2
   mode:
     role: arn:aws:iam::{account_id}:role/CustodianPolicyExecution
     type: guard-duty
   filters:
     # Filter for medium and high severity events
     - type: event
       key: detail.severity
       op: gte
       value: 4.5
   actions:
     - stop

 - name: iam-guard-remediate
   resource: iam-user
   mode:
     role: arn:aws:iam::{account_id}:role/CustodianPolicyExecution
     type: guard-duty
   filters:
     # Only a particular type of event, go ahead and remove keys
     - type: event
       key: detail.type
       value: "UnauthorizedAccess:IAMUser/TorIPCaller"
   actions:
     - remove-keys
	policies:

	- name: ec2-guard-remediate
	resource: ec2
	mode:
	role: arn:aws:iam::{account_id}:role/CustodianPolicyExecution
	type: guard-duty
	filters:
	# Filter for medium and high severity events
	- type: event
	key: detail.severity
	op: gte
	value: 4.5
	actions:
	- stop

	- name: iam-guard-remediate
	resource: iam-user
	mode:
	role: arn:aws:iam::{account_id}:role/CustodianPolicyExecution
	type: guard-duty
	filters:
	# Only a particular type of event, go ahead and remove keys
	- type: event
	key: detail.type
	value: "UnauthorizedAccess:IAMUser/TorIPCaller"
	actions:
	- remove-keys